1 2 Previous Next 10 Replies Latest reply on Oct 25, 2010 2:40 AM by mmialhe

    Managed State: Unmanaged

      We have an ePO 4.0 Patch4 with 443 clients/systems. I created a query to find all unmanaged systems. The result showed that from 184 systems 49 of them used to be managed. As soon as I send a wake up call it updates the status from unmanaged to managed. Is this normal? Why do systems switch to unmanaged state at all?

        • 1. Re: Managed State: Unmanaged

          Jsut noticed that wake up only changes the status for a short time. The computer is back to unmanaged state...

          • 2. Re: Managed State: Unmanaged

            Hi Sallo !

             

            I have the exact same issue than (PC switching from managed to unmanaged and back again to managed...)

            FYI even a wakeup call doesn't change the status for me

            did you solve it ?

             

            Thanks

            • 3. Re: Managed State: Unmanaged
              Attila Polinger

              Hello,

               

              my theory is that since your ePO 4.0 server is on Patch 4, that is not enough - to my memories - to prevent hosts with AgentGUID problems from calling in to the server. Something like this happens: first a valid and existing node checks-in updating the node record (in Detected Systems table) with the "Managed" status. Some time later the another node having AgentGUID problem checks-in, updating the same node record (in Detected Systems table) to Unmanaged.

              See: https://kc.mcafee.com/corporate/index?page=content&id=KB57344&actp=search&viewlo cale=en_US&searchid=1287659241106

               

              /to verify this, please pick one node and note down the IP address and MAC address when the node record shows "managed". Repeat this, when the node record shows "unmanaged". The two IPs should be different, just like the MACs./

               

              Patch 4 only allowed to manually gather statistics (by extending the database tables with the appropriate information) on the possible nodes with AgentGUDI problem, but it is only Patch 5 or above would prevent such problem nodes from checking in.

               

              I would recommend first patching your ePO server to the latest patch, thus closing the door for problem nodes, then when you feel that every node have attempted a new ASCI, create the report again. This should show you the hosts with AgentGUID problem.

               

              Attila

               

               

              Message was edited by: Attila Polinger on 10/21/10 1:11:50 PM CEST
              • 4. Re: Managed State: Unmanaged

                Thanks for your answer Attila! your theroy is interesting.

                Your AgentGUID explanation sound very much like what is occuring...

                 

                do you think the agent reinstallation will help on it (force instance force the uninstall and then reinstall the agent), I guess it will use a proper GUID no? or you think upgrade ePO is better

                BTW I'm running epo4.0 and agent 4.5 (not the latest with the patch1).

                Cheers

                • 5. Re: Managed State: Unmanaged
                  Attila Polinger

                  I think the AgentGUID problem is general and not dependent on agent versions. Even a 4.5 agent can have AgentGUID problem. It is most likely the improper computer opsys imaging practice that is responsible for this: because the image was prepared from a master without deleting this AgentGUDI registry key. then every clone from that master will have the same AgentGUID as the master.

                   

                  Until the master image is not corrected properly to stop cloning faulty client images, with ePO 4.0 server, the only simple client fix was to stop McAfee Framework Service, delete the AgentGUID reg key and start the McAfee Framework service, which will regenerate the AgentGUID. There is no direct need to reinstall the McAfee agent, although this is another possible solution but a little bit simplistic

                   

                  You first need to patch up your ePO 4.0 so it rejects illegal clients. Then you'd be able to fix clients. Complete solution requires both actions.

                   

                  There is an elegant way of solving the problem though: to upgrade the ePO server to version 4.5 latest patch. Since you said you only have agents 4.5, the new ePO version can tell problem agents to regenerate their GUIDs. This is a new function of the MA 4.5. I never tried it because we are not on MA 4.5.

                   

                  Attila

                   

                   

                  Message was edited by: Attila Polinger on 10/21/10 2:57:52 PM CEST
                  • 6. Re: Managed State: Unmanaged

                    yes that was I thought at the beginning when this issue was occuring, but when we reimage PC we format them before, so I guess the AgentGUID key is removed from the client during this process...except if it stays on ePO ?

                    • 7. Re: Managed State: Unmanaged
                      rmetzger

                      mmialhe wrote:

                       

                      yes that was I thought at the beginning when this issue was occuring, but when we reimage PC we format them before, so I guess the AgentGUID key is removed from the client during this process...except if it stays on ePO ?

                      Well, jumping in here and not wanting to step on Attila Polinger's statements, the AgentGUID is In the Image you created and not removed unless you specifically remove the registry entry just prior to making the image (and before a reboot or a restart of the Framework Services.)

                       

                      Below is a batch file that clears AgentGUID and MacAddress. Since the Image is already constructed, you can run this after the image is restored but Before the first ASCI occurs. Alternatively, create a new Image but run this before creating the new image.

                      DeleteAgentGUID.bat:

                       

                      @echo off
                      title  McAfee AgentGUID and MacAddress Removal Tool - by Ron Metzger

                          echo.
                          echo  The McAfee Agent communicates with ePO, Protection
                          echo  Pilot, or McAfee's update services, using registry
                          echo  values of AgentGUID and MacAddress, to uniquely
                          echo  identify each system. Imaging or duplicating a
                          echo  system breaks these unique identifiers. Clearing
                          echo  these values, followed by a reboot or services
                          echo  restart, repopulates these values with new and
                          echo  unique entries.
                          echo.
                          echo  Prior to duplication (pre-image deployment), clear
                          echo  these registry entries and create the image before
                          echo  restarting services or rebooting.
                          echo.
                          echo  Otherwise (post-image deployment),
                          echo.
                          echo  After duplication, clear these values, then reboot
                          echo  or restart the services.
                          echo.
                          echo  VSE v8.7i (or above) by default, self-protects
                          echo  against certain changes. In order to make either
                          echo  registry change, temporarily disable the self-
                          echo  protection settings within VSE v8.7i (or above).
                          echo.
                          echo  From the VirusScan Console:
                          echo  Access Protection > Properties
                          echo    Uncheck 'Prevent McAfee services from being stopped'
                          echo    Common Standard Protection
                          echo      Uncheck (un)Block 'Prevent modification of McAfee files and settings'
                          echo      Uncheck (un)Block 'Prevent modification of McAfee Common Management Agent'
                          echo.
                          Choice.exe /C:YN /N " Press  Y  to continue,  N  to skip . . . ?"
                          if ErrorLevel 2 goto Exit

                          echo  Stopping services . . .
                          net stop McAfeeFramework /yes
                          net stop McShield /yes
                          net stop McTaskManager /yes
                          echo  Stopping services, done.

                          echo  Deleting registry entries . . .
                          REG delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /F
                          REG delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /F

                          REG delete "HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /f
                          REG delete "HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /f
                          echo  Deleting registry entries, done.

                          echo.
                          echo  Please re-enable the self-protection settings within
                          echo  VSE v8.7i (or above) to there original values.
                          echo.
                          echo  From the VirusScan Console:
                          echo  Access Protection > Properties
                          echo    Check 'Prevent McAfee services from being stopped'
                          echo    Common Standard Protection
                          echo      Check Block 'Prevent modification of McAfee files and settings'
                          echo      Check Block 'Prevent modification of McAfee Common Management Agent'
                          echo.
                          Choice.exe /C:YN /N " Press  YN  to continue . . ."
                          echo.
                          echo  About to restart McAfee services.
                          echo  This will repopulate AgentGUID and MacAddress values.
                          echo.
                          echo  Please do Not start these services if Imaging this system Now. (Choose Skip.)
                          echo.
                          Choice.exe /c:YN /T:N,15 /N " Restart Services?  Y  to continue,  N [or wait 15 seconds]  to skip . . ."
                          if ErrorLevel 2 goto Exit

                          echo  Starting services . . .
                          net start McAfeeFramework /yes
                          net start McShield /yes
                          net start McTaskManager /yes
                          echo  Starting services, done.
                          Choice /c:YN /T:Y,15 /N " Press  YN [or wait 15 seconds]  to continue . . ."

                      :Exit

                      Hopefully this is helpful.

                      Ron Metzger

                      • 8. Re: Managed State: Unmanaged

                        Thanks Ron, that helps!

                        but to be safe we didn't put McAfee agent in the image, so basically the PC is formatted, image is pushed and only then we installed the agent so I don't get why we would have AgentGUID issue? except if EPO keep track of the previous GUID used? Does that make sense?

                        Cheers

                        • 9. Re: Managed State: Unmanaged
                          rmetzger

                          mmialhe wrote:

                           

                          Thanks Ron, that helps!

                          but to be safe we didn't put McAfee agent in the image, so basically the PC is formatted, image is pushed and only then we installed the agent so I don't get why we would have AgentGUID issue? except if EPO keep track of the previous GUID used? Does that make sense?

                          Cheers

                          Unless I am completely mistaken, there is an Agent included in VSE (whether you are configured to update from an ePO server or not). So, by default, you have the AgentGUID, whether you like it or not, built in to your master image. Once the image is pushed, with VSE included, the AgentGUID that Exists in VSE's default install Agent, is pushed as well. I am not sure if installing the Agent again changes the existing AgentGUID. My guess is Not.

                           

                          By running the batch file just prior to creating your master image, the AgentGUID (and MacAddress) is removed from the system, so that the first time you boot the new image normally, a new AgentGUID is constructed, presumably unique.

                           

                          Alternatively, you could run the batch file (post image push) after the first boot, just prior to installing the new agent and rebooting when done.

                           

                          Ron Metzger

                          1 2 Previous Next